Our Privacy Policy

Effective Date: 16th September 2025

Introduction

Rsvpeas provides a platform for users to manage their wedding invitations and RSVPs for events. We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains what data we collect, how and why we process it, how we share it, the rights you have under applicable laws (including the UK GDPR, the Data Protection Act 2018, the EU GDPR, CCPA/CPRA, and PIPEDA), and the safeguards we apply to protect your information. If anything here is unclear, please contact us using the details at the end of this policy.

Who We Are and Scope

For users in the United Kingdom, the European Economic Area (EEA), and other regions where applicable, Rsvpeas is the “data controller” responsible for your personal data when you use Rsvpeas. This policy applies to your use of our website, web application, and related services, as well as to communications you have with us by email or other channels connected to our service.

Information We Collect and How We Use It

We collect information that you provide directly to us, such as your name, contact details, login credentials, communications, and any content you submit while using our features. We also collect information automatically through cookies and similar technologies, including device identifiers, log data, IP addresses, usage information, and diagnostics, which help us operate, secure, and improve our services. Where relevant to our service, we may also receive limited information from third parties that integrate with our platform, and we process that information in accordance with this policy and our agreements with those partners.

We use personal data to provide and maintain our services, authenticate and secure accounts, personalise experiences, respond to support requests, process payments and billing, send service and transactional messages, analyse performance and usage, enforce our terms, comply with legal obligations, and protect the rights, safety, and integrity of our users and our platform. We also use aggregated or anonymised information for research, statistics, and product development that does not identify you.

Where the UK GDPR or EU GDPR applies, we process personal data on the following legal bases: to perform a contract with you or take steps at your request prior to entering a contract; to comply with our legal obligations; for our legitimate interests in operating, improving, and securing our services, provided those interests are not overridden by your rights and interests; and, where required, on the basis of your consent, which you can withdraw at any time.

We Do Not Sell Personal Information

We do not sell your personal information. For California residents, we also do not share personal information for cross-context behavioural advertising as defined by the CCPA/CPRA. If we ever propose to engage in activities that would be considered a sale or sharing under applicable law, we will provide clear notice and an opportunity to opt out via a dedicated mechanism.

Data Sharing and Service Providers

We share personal data with trusted service providers only to the extent necessary to deliver our services and for the purposes described in this policy. These include cloud hosting and storage providers, security and monitoring vendors, payment processors, customer support tools, analytics providers, and email or notification delivery services. Each provider is bound by a written data processing agreement requiring confidentiality, robust security controls, and a prohibition on using personal data for their own independent purposes.

We may disclose personal data if required by law, regulation, subpoena, or court order, or when we believe in good faith that disclosure is necessary to protect our rights, investigate fraud, ensure user safety, or respond to a lawful request from a competent authority. In the event of a reorganisation, merger, or acquisition, we will ensure that the successor entity is subject to obligations consistent with this policy.

Security Measures

We apply technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. Data in transit is protected using modern transport encryption (TLS 1.2 or higher), and data at rest is encrypted using strong algorithms (such as AES-256). We use role-based access controls that follow the principle of least privilege, enforce multi-factor authentication where appropriate, and regularly review access permissions. We employ managed key services with strict access controls and periodic key rotation, maintain vulnerability management and intrusion detection, and conduct periodic penetration testing and, where appropriate, independent security assessments. While no method of transmission or storage is completely secure, we continually improve our safeguards to reduce risk.

International Data Transfers

Because we operate and use service providers around the world, your personal data may be transferred to and processed in countries outside your jurisdiction, including countries that may not provide the same level of data protection as your home country. Where required, we implement appropriate safeguards for such transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA) or Addendum, and reliance on applicable adequacy regulations. We will take steps to ensure that transferred data remains protected in accordance with this Privacy Policy and applicable law.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, including to meet legal, accounting, and reporting requirements. Account profile data is retained for as long as your account is active. If your account becomes inactive, we will securely delete or anonymise associated personal data after twenty-four months of inactivity, unless a longer period is required by law or is necessary to establish, exercise, or defend legal claims. Transaction and billing records are generally retained for a minimum of seven years to satisfy HMRC tax and financial record-keeping obligations. Security and application logs used for diagnostics and threat detection are typically retained for up to ninety days before being deleted or anonymised. When data is no longer needed, we will delete it or de-identify it in a manner that cannot reasonably be reversed.

Your Rights and Choices

Subject to applicable law, you may have rights to access, correct, update, or delete your personal data; to receive a portable copy of certain information; to object to or restrict certain processing (including processing based on legitimate interests or for direct marketing); and to withdraw consent where processing is based on consent. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

Residents of California have the right to know the categories and specific pieces of personal information we collect, to request deletion, to correct inaccurate information, and to be free from discrimination for exercising these rights. UK residents have rights under the UK GDPR and Data Protection Act 2018, including the right to complain to the Information Commissioner's Office (ICO). We will respond to verified requests within the timelines required by law—generally within thirty days under the UK GDPR/EU GDPR and within forty-five days under the CCPA/CPRA, with possible extensions where permitted.

You can exercise your rights by contacting us using the details in the “Contact Us” section. We may need to verify your identity before fulfilling your request. You may also designate an authorised agent to submit a request on your behalf where permitted by law.

Cookies and Similar Technologies

We use cookies and similar technologies to provide core functionality, keep you signed in, remember preferences, measure site performance, and help secure our services. You can control certain cookies through your browser settings or system preferences and, where required by law, we will request your consent before setting non-essential cookies. Our cookie practices are further explained in our Cookie Notice, which works in tandem with this Privacy Policy.

Children's Privacy

Our services are not directed to children. We do not knowingly collect or process personal data from anyone under sixteen years of age in the United Kingdom or European Economic Area, or under thirteen years of age in the United States, in accordance with applicable laws. If you believe a child has provided us with personal data in violation of this policy, please contact us and we will take appropriate steps to delete such information promptly.

Communications Preferences

We may send you transactional or service-related communications that are necessary to provide our services to you. Where required by law, we will seek your consent for marketing communications, and you may withdraw that consent at any time by using the unsubscribe link in our emails or by contacting us. Please note that even if you opt out of marketing messages, we may still send important transactional or service notices.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or privacy practices. When we make material changes, we will update the “Effective Date” at the top of this page and, where required, provide you with additional notice, such as by email or within the service. Your continued use of the services after the effective date of an updated policy constitutes your acceptance of the changes.

Regulatory Rights and Complaints

If you are located in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are unhappy with how we handle your personal data. Contact details are available at https://ico.org.uk/. We encourage you to contact us first so we can address your concerns directly and attempt to resolve any issues. If you are located in the EEA, you may lodge a complaint with your local data protection authority.

Contact Us

If you have questions, requests, or complaints about this Privacy Policy or our handling of your personal data, please contact us:

Email: privacy@rsvpeas.co.uk

Data Protection Officer: dpo@rsvpeas.co.uk